Sites affected included the Telegraph and Betfair, as unwary users are put at risk of having passwords and other details stolen

A Turkish hacker group diverted traffic to a number of high-profile websites including the Telegraph, UPS, Betfair, Vodafone, National Geographic, computer-maker Acer and technology news site the Register on Sunday night, putting unwary users at risk of having passwords, emails and other details stolen.

Industry experts warned people not to log into sites such as Betfair because their details could be stolen.

Some people viewing the sites thought that they had been hacked directly, with the sites appearing to show a message in Turkish by a group called Turkguvenligi, who last month carried out a similar attack on a Korean company.

But in fact the sites themselves remained unaffected. The group had instead attacked the domain name system (DNS), which is used to route users to websites. A list of sites affected by the hack, including Microsoft in Brazil and Dell in South Korea, was posted on the zone-h website, used by hackers to list their successes.

When a user types an address, such as “telegraph.co.uk”, the request is first sent to a DNS server which translates the human-readable address into a computer-readable one known as a “dotted quad”. In the case of the Telegraph, it would be 213.155.154.113 – controlled by Akamai, which spreads its content around the world.

But the hackers changed the details recorded for the affected sites by hacking into the database for the DNS at the “domain name registrar” company which registered the site.

DNS servers rely on each other to record and pass on updated details about the addresses of sites. Once the DNS records for a site are hacked at its registrar, the DNS servers around the world will start to copy and pass them on – meaning that more and more people will begin seeing the site as “hacked”, although the site itself is still functioning.
However, it can only be reached by typing the original dotted quad address directly into a browser, and that will remain the case until the registrar database is repaired; and it could take up to two days to replace the faked records.

The DNS hack means that the hackers could direct users to any web page that they wanted. The Guardian’s investigations suggest that they were being redirected to a single page owned by a customer of a US company, Blue Mile Networks. Contacted by the Guardian, Blue Mile Networks said it was investigating the situation.

The hack seems to have been carried out early on Sunday evening. The hackers said they targeted Ascio.com, which registers domain names, and Netnames.co.uk, among others.

On a Twitter feed, the hacking group said that they did it for “entertainment” and told the Guardian via Twitter that the purpose was: “Millions of dollars, large systems, small weaknesses and what I could do. Just for fun.”

Q&A with the hackers

The Guardian sent a number of questions to the Turkish hacker group, Turkguvenligi. Here are those questions, and the group’s responses:

Q. Who did you hack? Netnames.co.uk or Ascio? Or both? It’s unclear.

A. In fact both of them in addition with some other ones.

Q. Was this planned for a long time, or did you just find a weakness by chance?

A. We usually choose some big targets and find a way to access them. Sometimes it takes months. But harder makes it funnier. Not by chance, because we are expert of all kinds of web vulnerability holes.

Q. Why target them?

A. We target big domains. Which company owns them differs.

Q. Did you also do the South Korea hack at http://www.zdnet.com/blog/btl/epson-hsbc-korea-domain-registrar-hacked-100000-domains-affected/55864 ?

A. Yep. In fact we attacked there in the past but forgot some domains to hack so reowned it. You can check other Korean domain mirrors here: http://www.zone-h.org/archive/notifier=turkguvenligi.info/page=2

Q. If so, what’s so special about DNS hacking? Is it that it goes wider, or is it easier than hacking lots of sites, or ..?

A. First we target site itself. If we can't find a vuln. on the script of site we try accessing server or vps. If none of them works we try domain company. The hardest one is reaching the domain company but if you can succeed there will be a treasure for you.

Charles Arthur, guardian.co.uk